Go SSH Global Request Response Handling Buffer Overflow Vulnerability Leading to Resource Leak

Vulnerability

A vulnerability exists in the Go programming language's SSH implementation, specifically in the 'golang.org/x/crypto' package prior to version 0.52.0. This vulnerability allows a malicious SSH peer to send unsolicited global request responses, which can fill an internal buffer and block the connection's read loop. As a result, the goroutine handling the connection cannot be released by calling Close(), leading to a resource leak for each affected connection. This issue has been addressed by discarding unsolicited global responses.

Impact

Exploitation of this vulnerability can cause a deadlock in the SSH server: the connection's read loop blocks on the unsolicited global request responses and never returns, so the goroutine cannot be released even when Close() is called. The normal release of resources is prevented, and each affected connection leaks.

Remediation

Users can update to version 0.52.0 or later of the 'golang.org/x/crypto' package to address this vulnerability.
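The mechanism described above, as an added example that is not code from the golang.org/x/crypto package: a simplified model of the per-connection queue of global-request replies, with the vulnerable dispatch (queue every reply) beside the patched one (discard a reply when no request is outstanding), and a helper that observes whether the read loop stalls. Field names, the queue capacity of 16 and the timeout are assumptions for illustration only.

```go
package main

import (
	"sync"
	"time"
)

// globalReplyQueue is a simplified model, not the library's internals (names and capacity are assumed).
type globalReplyQueue struct {
	mu      sync.Mutex
	pending int         // global requests sent locally that still await a reply
	replies chan string // bounded queue of SSH_MSG_REQUEST_SUCCESS/FAILURE replies, drained by the requester
}

// request records that the local side sent one global request and awaits a reply.
func (q *globalReplyQueue) request() { q.mu.Lock(); q.pending++; q.mu.Unlock() }

// deliverUnchecked models the vulnerable read loop: every reply is queued, so replies
// nobody asked for eventually fill the queue and the send blocks forever.
func (q *globalReplyQueue) deliverUnchecked(reply string) bool { q.replies <- reply; return true }

// deliverChecked models the fix: a reply with no outstanding request is discarded
// (returns false), so unsolicited data can never fill the queue and stall the read loop.
func (q *globalReplyQueue) deliverChecked(reply string) bool {
	q.mu.Lock()
	defer q.mu.Unlock()
	if q.pending == 0 {
		return false
	}
	q.pending--
	q.replies <- reply // at most `pending` ever queued, and the requester drains them
	return true
}

// readLoopStalls runs deliver n times on its own goroutine, as the read loop would, and reports whether it failed to finish in time.
func readLoopStalls(deliver func(string) bool, n int, timeout time.Duration) bool {
	done := make(chan struct{})
	go func() {
		for i := 0; i < n; i++ {
			deliver("unsolicited reply")
		}
		close(done)
	}()
	select {
	case <-done:
		return false
	case <-time.After(timeout):
		return true // stuck: in the library this goroutine is the leaked resource
	}
}
```

With a 16-slot queue, the 17th unsolicited reply blocks the unchecked path for good, while the checked path discards any number of them and still delivers a reply that was actually requested.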

Added: May 22, 2026, 4:40 AM
Updated: May 22, 2026, 4:40 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 9.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.